Lessons from the Gmail Privacy Scare of 2004

Last night, Declan McCullagh of CNet posted twotweets related to the concerns already percolating in the privacy community about a new Apple and Android app called “Color,” which allows those who use it to take photos and videos and instantaneously share them with other people within a 150-ft radius to create group photo/video albums. In other words, this new app marries photography, social networking, and geo-location. And because the app’s default setting is to share every photo and video you snap openly with the world, Declan wonders “How long will it take for the #privacy fundamentalists to object to Color.com’s iOS/Android apps?” After all, he says facetiously, “Remember: market choices can’t be trusted!” He then reminds us that there’s really nothing new under the privacy policy sun and that we’ve seen this debate unfold before, such as when Google released its GMail service to the world back in 2004.

Indeed, for me, this debate has a “Groundhog Day” sort of feel to it. I feel like I’ve been fighting the same fight with many privacy fundamentalists for the past decade. The cycle goes something like this:

an innovative new information-sharing / social networking technology appears on the scene.

the technology encourages more information production / sharing and defaults to sharing as the norm (but usually with opt-out capabilities or privacy settings of some sort built in).

importantly, the technology in question is almost always free to consumers.

immediately, a vociferous crowd of privacy fundamentalists lament the announcement and calls for the technology or service to be rolled-back or even regulated by the government. At a minimum, major design changes (usually an opt-in privacy default) are requested. These advocates usually ignore or downplay the inherent quid pro quo involved in the deal, i.e., you share some info and tolerate some ads to get the free goodies.

most privacy-agnostic people (like me!) usually yawn, sit back and enjoy the new free goodies, and wonder what all the fuss is about. In other words, over time (and usually fairly quickly), social norms adjust to the new technologies and modes of sharing.

In this regard, my favorite case study of this process in action is the one that Declan already mentioned: Gmail. It’s easy to forget now, but back in 2004 there was quite a hullabaloo over the introduction of Gmail. Indeed, the privacy fundamentalists wanted it stopped cold. Letters started flying from privacy groups, sent first directly to Google itself (31 groups signed this letter asking the company to roll back the service), and then to the attorney general of California requesting an investigation following an immediate suspension of the service. Those signing that particular letter (Chris Jay Hoofnagle of EPIC, Beth Givens of Privacy Rights Clearinghouse, and Pam Dixon of the World Privacy Forum) also warned of civil and criminal penalties and private rights of action.

It was at about that time that, well, I blew my top. After seeing some traffic on Declan’s old “Politech” listserv about this, and fearing that action might be forthcoming by government officials aimed at restricting this new technology, I fired off this response to the Gmail-haters on April 30, 2004:

-------- Original Message --------
Subject: RE: [Politech] EPIC letter compares Gmail to FBI's Carnivore,
Total Information Awareness [priv]
Date: Fri, 30 Apr 2004 09:16:54 -0400
From: Adam Thierer <athierer@private>
To: Declan McCullagh <declan@private>
Oh brother, I can't take this lunacy from the privacy absolutists anymore:
(1) What part of VOLUNTARY is it that these privacy fundamentalists do
not understand? How many times and in how many ways must it be said: YOU
DO NOT HAVE TO SIGN UP FOR THIS FREE SERVICE!
(2) Second, these privacy absolutists persistently attempt to equate
private sector privacy concerns and government privacy violations. There
is a world of difference between the two and it basically comes down to
the fact that governments hold guns to our heads and coercively force us
to do certain things against our will. That is the real Big Brother
problem. Google, by contrast, isn't holding a gun to anyone's head and
forcing them to sign up.
(3) If you're concerned about how government might co-opt this service
for its own nefarious ends, that is not a Google problem, that is a Big
Government problem. Let's work together to properly limit the
surveillance powers of government instead of shutting down any new
private service or technology that we feel the feds might have to chance
to abuse.
(4) Final point about these privacy fanatics: Do they not believe in
freedom of contract? Do I or do I not have a right to contract with a
company to exchange certain forms of personal information for a the
right to free e-mail access and storage? Can I not VOLUNTARILY agree to
such a deal? If not, then I fear that there are a heck of lot of things
in this world that these people would make illegal in the name of
"protecting privacy."
Do they believe that companies like Google will - - out of the goodness
of their hearts - - just hand over free e-mail services and massive
storage capacity to everyone without anything in exchange? There is no
free lunch in this world but Google is giving us about the closest thing
to it. And yet, the privacy fanatics want to reject that offer on the
behalf over everyone in society. Well guess what EPIC... you don't speak
for me and a lot of other people in this world who will be more than
happy to cut this deal with Google. So do us a favor and don't ask the
government to shut down a service just because you don't like it.
Privacy is a subjective condition and your value preferences are not
representative of everyone else's values in our diverse nation. Stop
trying to coercively force your values and choices on others. We can
decide these things on our own, thank you very much.

It turns out that I didn’t really have as much to fear as I thought when I fired off that angry email. Most people immediately embraced the new Gmail service. And why wouldn’t they? It was an amazing innovation at just the right price — free! Don’t forget that, at that time, Yahoo! mail (the leading webmail provider) offered customers less than 10 megabytes of email storage. By contrast, Gmail offered users an astounding gigabyte of storage that would grow steadily over time. Rather than charging some users for more storage or special features, Google paid for the service by showing advertisements next to each email “contextually” targeted to keywords in that email — a far more profitable form of advertising than “dumb banner” ads previously used by other webmail providers. That raised some privacy concerns, but it also offered users the ultimate email free lunch. And they ate it up.

Today, 190 million+ people around the world use Gmail and the service continues to evolve to meet the needs of users. While I’m not a fan of Gmail’s spartan user interface and lack of other useful features found in other services (like Outlook loaded up with Xobni), there’s no doubt that Gmail has been a terrific boon to consumers. But we should not so easily forget that some people wanted to preemptively kill it by imposing the equivalent of what I have called a “Privacy Precautionary Principle” and stopping innovation before they had given it their blessing.

Again, as I noted in my 2004 rant above, many privacy fundamentalist too often forget that privacy is a highly subjective and ever-changing condition. As Abelson, Ledeen, and Lewis noted in their excellent recent book, Blown to Bits:

The meaning of privacy has changed, and we do not have a good way of describing it. It is not the right to be left alone, because not even the most extreme measures will disconnect our digital selves from the rest of the world. It is not the right to keep our private information to ourselves, because the billions of atomic factoids don’t any more lend themselves into binary classification, private or public. (p.68)

This struggle to conceptualize privacy and then protect it is going to continue and become quite a heated debate at times. I want to be clear, however, that while I do not share the values of those in the privacy fundamentalist camp, I do understand and appreciate that there are some people who are hyper-sensitive about this issue and I’m fine with them pressuring companies to change their privacy policies or, better yet, encouraging them to offer more tools that will allow users to better manage their own privacy. I think Microsoft, Facebook,Yahoo! and Google (among many others) have made some amazing strides in this regard and some of the credit must go to the hard-core privacy advocates for pushing them to offer more flexible privacy-enhancing tools and settings for those who demand them.

But let’s be clear about another thing: This should be an evolutionary, experimental process. Educating and empowering consumers to handle their personal privacy settings is a wonderful thing. On the other hand, making those decisions for consumers preemptively, as some privacy advocates often seem to want to do, is an entirely different matter. A Privacy Precautionary Principle mentality — as we saw in display in the early spat over Gmail — would have resulted in hundreds of millions of people being denied an amazingly innovative new service based on largely on phantom fears and conjectural “harms.” It is better to let these things play out in the information marketplace and see what the ongoing interaction of consumers and companies yields in terms of new innovation and new privacy settings / norms. Those new settings and norms may not always be to the liking of some privacy fundamentalists, or even to privacy agnostics like me, but that experimental, evolutionary, organic process remains the right way to go if we value both progress and liberty.

Adam Thierer / Adam is a senior research fellow at the Mercatus Center at George Mason University. He previously served as President of the Progress & Freedom Foundation, Director of Telecom. Studies at the Cato Institute, and Fellow in Economic Policy at the Heritage Foundation.